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I. INTRODUCTION 

Hie subject of access control ^mechanlsiBS In computer systems is concerned 
with effective means to protect the anonymitv of private Information on the one 
handt and to regulite the access to shareable Information on the other hand. 
Effective meahs^for access control may be considered on three levels: menory 
level, process level and logical level. 

At the memory level » access control mechanisms are chose vhich regulate 
access to memoxy in terms of units of memory. The main point is that protection 
is of the containers, i.e., the memoxy units, not~the contents. As a consequence, 
everything inside the container Is subject to the same access control as the 
enclosure itself. Furthermore, the contents are safe only as long as they are 
kept in the same containers. 

Typicaiiy, physical memory protection sdiemes employ memory bounds registers 
or storage protection **keys*' which control access to bounded memory areas. Other, 
more sophisticated, schemes are possible. The Idea of having an m x m matrix 
of control bits to keep track of access rights to « meB^)ry areas has been advanced 
[!]• For example 9 an entry ..A^^ would determine the access rl^ts to ±^th 
area from the j-th area. The A^^^ msy correspond to various access rl^ts such 
as read-only, read/write, execute-only and privileged mode. 

In general, one user's access rl^ts to an area may differ considerably 
from another user's access rights to the same area. In a multi-programming 
and shared data base environment, the system must therefore provide dynamically 
different access matrices for different users. The use of virtual memory may, 
therefore, enhance the implementation of the matrix scheme. Here, page and segment 
tables are consulted by the hardware at instruction decoding time. Each user is 
assigned his own tables and therefore cannot get into a segment of memory which 
does not have an entry in those tables. As a result, sophisticated schemes such 
as the access matrix are more easily implemented with virtual memory. A good 



case of such implementation is presented in the Conference by our first speaker 
[2], Y^t, even in virtual memory » we note that the protected areas are again units 
of memory* 

The second level of access control is called process access control. A 
process is simply a set of programs and their associated data* Thus, unlike 
memory protection, the notion of process protection and control is concerned with 
access to and protection of programs. To this end, we must develop mechanisms 
which can determine when and under what conditions programs can pass control from 
one to another* In other words, the mechanisms must be able to monitor the 
execution of programs in terms of their calls, returns and transfer of parameters. 

An elaborate process access control mechanism was proposed and known as 
the *'ring mechanism" [3}. This concentric ring mechanism allows one program 
to give control to another without violating any of the access control rights 
of either program, thereby safeguarding each program's working tables, data, 
intermediate results, etc. Conceptually, the concentric ring mechanism requires 
the user to arrange his processes hierarchically, i.e., processes at the lower 
part of the hierarchy (i.e., outer rings) have less privileged access ri^ts. 
This mechanism can be iiiq[>lemented in a computer whether or not it has virtual 
memory. Therefore, one should not indulge in the misconception that virtual memory 
protection and process protection are one and the same. 

The hi^est level of access control is logical. We feel that, in a large 
data base environment, the user will first organize his data into some logical 
structure. He will then refer to his structured data in terms of logical entities 
such as fields, arrays, records and files. The important point is that these 
entities are logical units of information which may have little resemblance to 
their physical or virtual storage images. By allowing the user to associate 
access control requireoients and protection measures with the logical units, the 
access control mechanism can facilitate direct control and protection of the 
information regardless of the whereabouts of that information. Furthermore, the 
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mechanism does not require the user to be familiar with the physical or virtual 
storage structure of the computer system. 

Logical access control mechanism must therefore have the facility for the 
user to describe his shareable and private data in terms of logical entities of 
the data base, to assign access rights and protection requirements to these 
entities, to determine the collections of these entities and the types of access 
that other users may have, and to incorporate additional authentication and 
checking measures in terms of procedures • 

This paper is basically a review of the logical access control mechanistms 
implemented in two conqputer systems. The first computer system, known as the 
PSF, is an on-line, multi*access operating sy:»tem with an advanced data base 
management capability on an IBM 7040/FDP/ 8/DEC 338 coupled coiq>uter configuration 
(see Fig. 1 and Fig. 2). Research and development period of PSF covers the years 
between 1965 and 1968._ It was in operation until 1971. Documentation on PSF's 
data base management and access control capability can be found in [4]. For a 



brief introduction to PSF's access control mechanism the reader may refer to 
I [5]. Subsequent evaluation and generalization of the PSF logical access control 

1 mechanism can be found in [6,11]. The second computer system, known as the EDMF, 

is a time-sharing operating system with extended data base management capability 
t on a RCA SPECTRA 70/46 virtual memory conqfuter (see Fig. 3 and Fig. 4). Research 

and development period of the EWff covers the years from 1968 to 1971. It is 
presently operational. Documentation on EDMF's access control mechanism can be 
found in [7]. For a brief introduction to EDMF, the reader may refer to [8]. 

The software experimentation on logical access control mechanisms in these 
computer systems is aimed to understand the working principles and requirements 
of the mechanisms with a view toward their hardware iin>lementations. It is hoped 
that a good understanding of the experimentation can lead to a better and 
useful implementation of logical access control mechanisms in hardware. To this 
O end, we have chartered our present research efforts. 

ERIC 
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Work on logical access control mechanisms does not^ of course, confined to 
the aforementioned references* Several recent software attempts at access 
control mechanisms can be found in [9t 10]. 



II. A LOGICAL ACCESS CONTROL SYSTEM 

It Is not possible to review in great details the complex logical access 
control mechanisms of PSF and EDMF in this short paper. For this reason we have 
attempted to present a simple system on which sotue of the important concepts and 
salient features of these mechanisms can be elaborated and from which an overall 
understanding of these mechanisms may be achieved. 

Basically, the logical access control system consists of three parts: 

(1) A shared data base to which access must be controlled, 

(2) A group <|f users whose access to the data base must be regulated. 

(3) A set of mechanisms which govern the accessing of the data base by 
the users. 

In order to develop the system, solutions to the following problems must be 
provided. These solutions are discussed in separate sections. 

(1) A method to identify the logical elements of the data base. 

(2) A representation of the types of access the user can have to the data base. 

(3) A concept on which a user can assign and change access types of other 
users to his data base.~ 

(4) A methodology for effective implementations of various access control 
requirements as specified in the access types. 



"vl Identification of the I x)eical Elements of the Data Base 

Logical elements in the data base must be uniquely identified so that the system 
can resolve their different identities and control access to individual elements. 
However, the burden of assigning unique identifiers to individual elements^ of 
data base should not be placed on the user. One requirement is therefore that the 
system, not the user, has the responsibility to assign a unique identification 
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number to each and every datum In the data base. What the user must have Is a 
means to describe his logical elements for access control purpose and to specify 
his access control requirements for these elements. In order to describe his 
logical data elements for access control purpose, the user must be able to declare' 
their structures; and in order to provide a priori and posterior controls over 
access to these cata elements, the user must be able to specify their authentication 
and checking procedures. We note that the user already has a data description 
language for declaring data structure in data base creation and a data manipulation 
language for specifying data base management requirements. It follows that the 
same data description language may be used to declare the structure of the 
logical elements for access control purpose. The use of the same description 
language for both data base creation and control not only is expeditious but also 
eliminates the possibility of false identification due to ambiguity in language 
translation. Similarly, the same data manipulation language may be employed 
to specify the authentication and the checking procedure for access control to data 
base elements. Thus, a second requirement is that the means employed to describe 
elements of the data base for access control purposes and to specify their access 
control requirements should be the same as the ones used to declare data structure 
and to specify data manipulation reqi'lrements for data base creation and processing. 

These are indeed the requirements that both PSF and EDMF attempted to meet. 
In both these systems elements of the data base are identified as fields, group 
of fields, keywords, records and files. References to fields are made by field 
names, to groups by group names and relations of the fields, to record by selection 
criterion in terms-of Boolean and arithmetic expressions of fields and field names, 
and to files by file names. All these names and expressions can be used in the 
procedures for data definition, manipulation and access control purposes. In 
PSF, procedures can be written in either data description and manipulation 
command languages or data management assembly language macros. In EDMF higher- 
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level languages such as FORTRAN and COBOL have been extended to include data 
definition manipulation and access control facilities* 

11.2 Representation of Access Types 

We represent the types of access a user has to the data base as an authority 

item. 

Conceptually, there is one-to-one correspondence between the users and the 
authority items* 

An authority item consists of the following: 

1. User identification 

2. Names of all his accessible files 

3. Options regarding the use of the files. Some of the options are listed 
below; 

ND Directory reading is not allowed 

RR Read records only 

RE Read either directory or records 

RW Read or write records 

IB Temporarily block the access of other users while the file is 

being modified 
OWN Own the file 

4. Program entries for file-level procedural authentications. 

5. Record access control descriptions (i.e.. Boolean and arithmetic expression 
of keywords, field names and fields) 

For opening portions of files, 

For being temporarily blocked from access to portions of files. 
For allowing or denying ones use of certain portions of files. 

6. Program entries for record-level procedural checking. 
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7. Field access control descriptions (i.e., Boolean and arithmetic 
expression of field and field names) 

8. Program entries for fie Id- level procedural checking. 

The entire collection of the authority items may be viewed as an access 
control matrix with the user identified with the rows and logical units of data 
base the colunms. The entry A^^ contains a series of access privileges and restric 
tlons held by user u to logical unit v. 
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For Implementation the matrix Is too sparse to be stored as It Is . For ease 
of change and update of access privileges and restrictions, the matrix should 
be organized as any other records of a (system) file. Because access privileges 
and restrictions to the same data units differ from one user to another, and 
because there are more data types than users, the Implementation of authority 
items as records Is user oriented Instead of data type oriented. In other words, 
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there is one authority item for a user* 

II. 3 The Concept of Ownership 

Ue introduce the concept of ownership to facilitate for the user the granting 
and denying of access privileges. 

A user can grant and deny other users access to a tiie if he is the owner 
of the file. 

The system administrator is a universal owner. Since he owns the file of 
authority items » he effectively owns every file in the system. To become an 
owner of a file the user must satisfy and comply with a set of rules and regula- 
tions which may vary from one installation to another. Nhen a user becomes an 
owner of a file» the system assigns an OWN option for the file in Jhe user's 
authority item. In the present implementations » the creato^^f a file will auto- 
matically become the owner of the file. As an owner of the file» the user can 
grant and deny any other users access to that file. In other words » a user with 
OWN option on a file can assign any option to other users for the file. 

In particular » he may cause another user to be a co-owner of the file by 
assigning OWN option to that user. 

The use of data management commands and macros by a user is dictated by the 
user's assigned options in his authority items. 
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Options to be provided to the system 
by the user's authority Item to 
permit use of the command 


Some of the Coimnands 


None 


New File 


Oim 


Delete File 


WLfVEfVm or OWN 


(^en File 


None 


Close File 


Own 


Access File 


mm 


No-*Access File 


IB or Own 


Teiq>orarily Block File 


None 


Unblock File 


RW or Own 


Reorganize File 


None 


Log-in for a File 


Own 


Enter a log-in Program 



Service Name 
Combinations 



Data 

Hanagement 
Hacros 



- FQ 



Meaning 

(Retrieve a key from the directory of a 
specific File) 

FQ (Enter a record into a specific file) 

FQ (Restore a record back to a specific file) 

NIM - PQ (Delete record by core address) 

DL - PQ - C, SYS, MP, MU, OR D 

(Delete record by description where 
« record may contain an assembly program, 

command language procedure, system informa- 
tion or data) 

^DL - FQ (Retrieve a record from a specific 

file) 

(Retrieve a record by 'external' 
description from a specific file) 

(Get the address of a parameter of 
the record-processing program) 

C, S, RES," DuP, EXC, SYS, MP, MU OR D 
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A typical service call has the following form: 

GSR P,(Sj, Sjt S^,...,S^) 

Where GSR Is the macro namet S^ are service names » and P Indicates addltlbiial 

parameter Involved with services. For example^ the call 

GSR ,(IT, FQ) 

will enter a record from core (address In ac register) to the file named In 

mq register. 

In summary^ the concept of ownership establishes for the system a hierarchy 
of users as follows: 




System Administrator 

(1) Oims all files, 

(2) Can use all data management 
commands and macros » 

(3) May authorize other users 
to use his files » 

(4) Is subjected to further rules 
and regulations* 



File Owners 

(1) Own private flies » 

(2) Can use all data management 
commands and macros > 

(3) May authorize other users to' use 
their files. 




Non-Owner Users 

(1) Do not own the files » 

(2) Can use some data management 
commands and macros » 

(3) May not authorize others to 
use the files. 
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II#4 Effective Implementations 

Regardless the type of access, the user may desire, there is a security procedure 
through which all access to the data base must be validated and monitored. 
1« Identify the command or macro call 

2« Check to see whether the user has access to the files involved 

3. If user has access to a file, then check to see whether the file is 

currently open for his use. 
4« If the file is open, then check to see if user has the proper file- 
option with respect to the call (e.g., read-only option for retrieval, 
write option for iiQ>ut, etc.). 

5. If a user has the correct option-^or using the file, set up certain 
necessary information for the system programs involved. 

6. Call the proper system program or programs to perform the requested 
service. 

7. Keep track of the status of the service. Since a service may not be 
cooq[>leted without repeated calls, it is necessary to save some information 
for the continuation of the service at a later time* 

8. I^date and save the information that was originally sep up for the 
system programs. 

9. Continue the service on next open file, if step 3 involves more than one 
open- file. 

10* Hake sure that a record to be outputted is one belonging to the open 
portion of a file, not teas>orarily blocked from use by others, and not 
permanently protected from access* 

11. Satisfy the procedural checking at record level. 

12. Make certain that fields protected from access are removed from the 
output ting record. 

13. Satisfy the procedural checking at field level. 
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Let us discuss some of the steps in the security procedure. 
Steps 1 and A require the system to identify the types of options which are 
necessary for the issuance of the particular command or macro call. As was 
indicated in previous sections, the^jd^at^ management comniands and macros that 
a user can exercise are determined by the type of options assigned to him. For 
example, without the OWN option the user is not permitted to delete a file through 
the issuance of the data management command DELETE FILE or the macro call 
IM-DL-FQ (with a Boolean expression characterized all records in the file). 
To this end, the system consults the user's authority item. Since options 
regarding a file are always associated with the name of the file as a part of the 
third entry in the authority item, the system can determine whether the user has 
proper options for the use of that command or macro call. 

For step 2, the system consults the second entry of the authority item. 
We note that in this entry the names of all the accessible files to the user are 
listed; but files which are not accessible to him do not have their names in 
his authority item. In other words, inaccessible files are completely transparent 
to the user. 

The inclusion of step 3 in the security procedure provides for a file owner 
the first opportunity to eiq>loy authentication programs to screen all users of 
the file. Typically an authentication program for a file consists of a set of 
user-written routines which are loaded into the system by the file owner through 
the use of the command ENTER-A-LOGIN-PROGRAM at the time of the file creation. 

Althou^ the program may demand various input from the user, it always produces 
either one of two standard output indicating whether there is either a positive 
or negative authentication. Since programs written for the authentication purpose 
can use data management macrds? they can store and retrieve information regarding 
the number of file opening attempts and the combinations of user passwords. 

We note that the program entry points for file- level checking are placed 
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in the fourth entry of the authority item* Thus» thoughtful use of the 
authentication programs (also known as log in procedure) at file level can 
provide very good protection of the file as a vhole* 

Steps 5 through 9 are self-explanatory* We shall not elaborate here* 
In step 10 the security procedure carries the access control form the file level 
as in step 3 to the subfile level* By using Boolean and arithmetic expressions 
of keywords » fields and field names as a means to partition a file into subfiles, 
th3 system can control access to the subfiles. However, in this case the parti- 
tions are virtual and no subfiles are actually being generated* The reasons for 
not physically making duplicate subfiles are to safeguard the integrity of the data 
base on the one hand and to facilitate update on the other hand* Virtual subfiles 
can be created readily by introducing new Boolean and arithmetic expressions* In 
fact, there can be a multiplicity of subfiles for various access control purposes 
as ^illustrated below* 
A FILE 



RECORDS PERMANENTLY PROTECTED 
FROM ACCESS 




RECORDS BELONGED 
TO OPEN PORTION OF 
THE FILE 



RECORDS THAT ARE 
TEMPORARILY BLOCKED 
FROM USE BY OTHERS 



m 



VALID RECORDS 



INVALID 



THE- SUBFILES OF RECORDS IN A FILE SPECIFIED BY THREE TYPES OF EXPRESSION;. 
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On a need-to-know basis, many subfiles may be defined for the same files. 
The multiplicity of subfiles for various access control requirements may grow 
large* However ^ the mechanism needed by the system to verify whether a record 
belongs to a subfile Is strai^tforv7ard« Basically^ the verification of a 
record with respect to an expression can be characterized by the following table. 



Expression intended 
for* . • 


Does the record satisfy 
the expression? 


Validity of the 
Record 


Permanent protection 
from use 


Yes 


Invalid 


Mo 


Valid 


Teiq>orarily open 
for use 


Yes 


Valid 


Mo 


Invalid 


Teoq>orarily blocked 
by others from use 


Yes 


Invalid 


Mo 


Valid 


• 
• 
• 


• 
• 
• 


• 

• 
• 



From the above table » we note that an accessible record is a record which 
has been validated by every security check at the subfile level. These valida- 
tions can be easily mechanized as depicted in Fig* 5* 

In step 11 f the system allows procedures incorporated by the file owner 
to check records which become accessible to a user. Whereas in step 3 access 
control Is at the file level and in step 10 access control is at the subfile 
levels this step eaables the control of access at record level* By allowing the 
file owner to develop his own record checking procedure » records which are already 
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accessible to other users can be subject to further checking and auditing. 

In step 12 9 the system performs posterior checking of protected field names. 
We note that the checking can only take place after the record has been retrieved 
from secondary storage into system* s working area. In contrast to posterior 
checking^ a priori checking of field names and fields at query time involves 
the removal of all the protected keywords » field names and fields from the userU 
data management coomands and macro calls before the first step of the security 
procedure is to be invoked* In this vay^ no access will be initiated by any 
invalid keywords. Step 13 Is the last step in the security procedure. It is in 
this step that access control is finally brought to the user at the field level. 
Because many access control requirements are dependent upon some combination of 
field names and/or values, matching of names and computing of values must take 
place dynamically. By incorporating these matching and computing procedures at 
the field levels the file owner can have direct control of other users access to 
his individual datum. 



III. SU>«ARY 

We have discussed a simple logical access control system abstracted from 
the concepts and features of two experimental data base management systems 
known as PSF and EOME. The highlights of the system are as follows: 

1. Logical references for both data base access and access control - no 
reference to physical memory organization Is made. 

2. Flexible compartmentallsatlon technique to aggregate Information for access 
control - The aggregates are flies, subfiles, records and fields. The use 
of Boolean and arithmetic expressions as a means to coo^artmentallze the 
files, records and fields ellmlnatr.5 the need of creating subfiles physically. 
Furthermore, expressions are stored In authority Items and away from 
compartmentalised data. This procedure allows flexible change of compartments 
by simply undatlng the expressions. 

3. Procedural approaches for further checking and authentication - At each logical 
level (I.e., file, subfile, record or field level) the file owner can Introduce 
his own programs for auditing, monitoring and acreenlng other users of his 
data base. 

4« Modular security procedure - The use of procedural checking and compartmentallsa- 
tion means by the user can vary. On the one hand, for public files there 
can be no compartmentallzatlon of data within the files and no procedural 
checking at any level. On the other hand, multi-level checking on well- 
compartmentalized files can be demanded by the file owners. The security 
procedure is modular so that it can systematically invoke the right degree 
of security checking to support the user's security requirements. 

5. Interlocking mechanism for blocking and unblocking multiple access to the 
same data aggregates - This mechanism is needed In an on-line environment 
where, for example, one user may update some data aggregates and another 
user Bwy want to access the same data aggregates before the coiq>letlon of 
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the update. 

A priori and posterior control of field level access - A priori control is 
performed at assembly time of query statements. Posterior control is enforced 
at the time that an aggregate of data is about to be outputted to the 
user. The former is intended to prevent any access from taking place as a 
result of an invalid query; the latter is designed to remove small datum of 
highly classified nature from system output. 

Ease of use - The introduction of the concept of ownership enables the users 
of the system to have an orderly vay of obtaining and denying access privileges 
and restrictions. Because access control information is stored* in the 
authority items » as records of a system file, it can be updated very easily 
by the system administrator. Furthermore, the separation of access control 
information from the raw data enables the change of a user's access require* 
ments without having to process the raw data base. 
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